So after reading through Picketlink's docs I think it might be a fit, but there may be a few gaps for us. What we're looking at:

- Allow for OpenID authentication against any number of providers (assuming Google's going to be the largest)

- Allow for authentication against an internal SAML (URL is dynamic at runtime, not configured. It's assumed that specific URLs in our app will point to different SAML URLs externally).

- Allow for connections to a number of LDAP servers (ldap host is dynamic and ldap structure is dynamic).

I'm thinking we can create a new authenticator that wraps the other authenticators together and uses their logic, but perhaps connects to an EJB to do some of the database retrieval. For example, we'll know which authenticator to pick based on the URL accessed (one idea at least).
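One way to sketch the "pick the authenticator by URL" idea from the post, as an added example that is neither the poster's code nor PicketLink's API: the `Authenticator` interface and the stub delegates are assumptions standing in for the real OpenID, SAML and LDAP authenticators (or an EJB that looks them up). The point it adds is the check a routing wrapper needs: match only on a normalized path against an explicit, ordered route table, and give unknown paths no authenticator at all rather than a default one.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical authenticator contract for this sketch (an assumption, not PicketLink's API).
interface Authenticator {
    String name();
    boolean authenticate(String principal, String secret);
}

// Stand-ins for the three delegates; a real build would wrap the framework's
// OpenID, SAML and LDAP authenticators here, each carrying its own configured
// IdP URL or LDAP host (never one read from the request).
final class StubAuthenticator implements Authenticator {
    private final String name;
    StubAuthenticator(String name) { this.name = name; }
    public String name() { return name; }
    public boolean authenticate(String principal, String secret) {
        // Constructed behaviour: the backing store accepts one fixed pair.
        return "alice".equals(principal) && "correct-horse".equals(secret);
    }
}

public final class UrlRoutingAuthenticator {
    // Ordered route table: path prefix -> delegate; the longest matching prefix wins.
    private final Map<String, Authenticator> routes = new LinkedHashMap<>();

    public UrlRoutingAuthenticator route(String pathPrefix, Authenticator delegate) {
        if (!pathPrefix.startsWith("/") || pathPrefix.contains("..")) {
            throw new IllegalArgumentException("route prefix must be absolute and normalized: " + pathPrefix);
        }
        routes.put(pathPrefix.endsWith("/") ? pathPrefix : pathPrefix + "/", delegate);
        return this;
    }

    // Select the delegate from the normalized request path only, so that a path such as
    // "/login/saml/../ldap/bind" is routed by what it resolves to, not by how it was spelled.
    public Optional<Authenticator> select(String requestPath) {
        String normalized;
        try {
            normalized = URI.create(requestPath).normalize().getPath();
        } catch (IllegalArgumentException malformed) {
            return Optional.empty();
        }
        if (normalized == null || !normalized.startsWith("/")) return Optional.empty();
        String candidate = normalized.endsWith("/") ? normalized : normalized + "/";
        Authenticator best = null;
        int bestLen = -1;
        for (Map.Entry<String, Authenticator> e : routes.entrySet()) {
            String prefix = e.getKey();
            if (candidate.startsWith(prefix) && prefix.length() > bestLen) {
                best = e.getValue();
                bestLen = prefix.length();
            }
        }
        // No default delegate: a path outside the route table gets no authenticator.
        return Optional.ofNullable(best);
    }

    public boolean authenticate(String requestPath, String principal, String secret) {
        return select(requestPath).map(a -> a.authenticate(principal, secret)).orElse(false);
    }

    public static void main(String[] args) {
        UrlRoutingAuthenticator auth = new UrlRoutingAuthenticator()
            .route("/login/openid", new StubAuthenticator("openid"))
            .route("/login/saml",   new StubAuthenticator("saml"))
            .route("/login/ldap",   new StubAuthenticator("ldap"));
        System.out.println(auth.select("/login/saml/acs").map(Authenticator::name).orElse("rejected"));           // saml
        System.out.println(auth.select("/login/saml/../ldap/bind").map(Authenticator::name).orElse("rejected")); // ldap
        System.out.println(auth.select("/admin").map(Authenticator::name).orElse("rejected"));                    // rejected
        System.out.println(auth.authenticate("/login/ldap/bind", "alice", "correct-horse"));                     // true
    }
}
```

The wrapper decides only which delegate runs; each delegate keeps its own fixed configuration (the external SAML URL or the LDAP host and base DN for that route), and the mapping from route to configuration lives in the route table or the EJB lookup, not in anything the client sends. That keeps a dynamic set of providers from turning into a client-chosen provider.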